Since 2004, a source for ranting, reviews and InfoSec news

Menu

Firefox to Suggest Flash Updates

Firefox recently announced that a soon to be released version will check for Flash updates in addition to updating Firefox. That should be helpful for end users.
As with any news people of course have their own axe to grind and put their own spin on things. Wolfgang Kandek writes about this development in a Qualys blog adding “Now we just need to convince Hillary Clinton to let the Department of State use Firefox.”
I dont see how this change would cause an enterprise to switch browsers. In an enterprise this Firefox Flash update reminder should be pretty much worthless. If an Enterprise has deployed Firefox then it has probably deployed Flash for Firefox. If its deployed Flash for Firefox, than the company should be deploying updates for it. Enterprises have patch cycles and testing. They often disable built in update mechanisms and deploy updates through SMS/Patchlink/Bigfix/etc. Is it possible for enterprises to disable this functionality, perhaps through FirefoxADM?
Far from being the crowning achievement in Firefox security, I think this Flash update checker could potentially be a problem. I notice the screenshot taken by Wolfgang does not show a SSL site in use when the user is prompted to upgrade. It seems to me that this Flash update mechanism is prime for Phishing. Spyware for Firefox has already masqueraded recently as a Flash update. I think this update mechanism’s delivery method as shown in Wolfgang’s screenshot primes phishing victims.